Channels

Services

Thunderbird 2.0.0.14 E-mail client available

Just two weeks after Firefox 2.0.0.14 was released, an updated version of the Thunderbird email client is now also ready for download. The new version closes two security holes through which attackers can inject malicious code.

Both vulnerabilities are related to JavaScript, although it is disabled by default in Thunderbird and the Mozilla developers explicitly warn against activating it. Security advisory MFSA2008-15 discusses crashes leading to memory corruption making it possible to execute infiltrated code. Vulnerability report MFSA2008-14 explains how attackers using crafted JavaScript can escalate their privileges and execute arbitrary code.

The update can be automatically downloaded and installed by clicking on the "Check for updates" option in the Help menu, but an updated version of the complete installer is also available on the Mozilla servers. Thunderbird users should import the update as soon as possible. Linux distributors are also likely to be supplying updated packages shortly.